I was working with a customer's Red Hat JBoss server today and wanted to test for deserialization vulnerabilities that might affect it. Though my favourite go-to tool – Burp Suite – has many extensions, I wanted to try something I had not used before. That's when I stumbled across JexBoss, which turned out to be a pretty decent open source tool. I think the name JexBoss is a play on "Java EXploitation like a Boss".
What is JexBoss?
JexBoss is an open source tool written in Python to help you verify and exploit Java and Red Hat JBoss deserialization vulnerabilities. As we all know, serialization converts an object's state to a byte stream so that a copy of the same object can be obtained by reversing that byte stream. Deserialization is the reverse of serialization, i.e. taking the serialized data and rebuilding it into the original object. The problem is trivial to trigger in Java because, by default, there are no checks on which classes may be deserialized from the incoming stream.
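To make that last point concrete, here is an added example (my own, not part of JexBoss or the post) of the defensive counterpart: a plain `ObjectInputStream` beside a reader that overrides `resolveClass()` to enforce an explicit class allowlist before any object is instantiated. The `Greeting` type and the use of `HashMap` as a stand-in for an unlisted class are constructed for the demo; it assumes Java 9 or later.

```java
import java.io.*;
import java.util.Set;
// Added example (not JexBoss code). A plain ObjectInputStream resolves any
// class named in the stream; the allowlist reader below refuses every class
// that is not explicitly permitted, before any of its code runs. Assumes Java 9+.
public class DeserializationAllowlist {

    // Small serializable type constructed for the demo.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Hardened reader: resolveClass() is the look-ahead hook called for every
    // class descriptor in the stream, so unexpected classes fail fast here.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException { super(in); this.allowed = allowed; }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("class not permitted: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the accepted class name, or the rejection message.
    static String readWithAllowlist(byte[] stream, Set<String> allowed) throws Exception {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(stream), allowed)) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Greeting.class.getName());
        System.out.println(readWithAllowlist(serialize(new Greeting()), allowed));
        // HashMap stands in for any unlisted class: refused before instantiation.
        System.out.println(readWithAllowlist(serialize(new java.util.HashMap<>()), allowed));
    }
}
```

On JDK 9+ the same effect is available without subclassing via `ObjectInputFilter`, but the `resolveClass()` hook works on the older JBoss-era JVMs the post targets as well.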
Features of JexBoss:
The tool and exploits were developed and tested for:
- JBoss Application Server versions: 3, 4, 5 and 6.
- Java Deserialization Vulnerabilities in multiple Java frameworks, platforms and applications (e.g., Java Server Faces – JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), DNS gadget, Remote JMX (CVE-2016-3427, CVE-2016-8735), Apache Struts2 Jakarta Multipart parser CVE-2017-5638, etc.)
- Supported exploitation vectors are:
  - /admin-console: Tested and working in JBoss versions 5 and 6.
  - /jmx-console: Tested and working in JBoss versions 4, 5 and 6.
  - /jmx-console/HtmlAdaptor: Tested and working in JBoss versions 4, 5 and 6.
  - /web-console/Invoker: Tested and working in JBoss versions 4, 5 and 6.
  - /invoker/JMXInvokerServlet: Tested and working in JBoss versions 4, 5 and 6.
  - Application Deserialization: Tested and working against multiple Java applications, platforms, etc., via HTTP POST parameters.
  - Servlet Deserialization: Tested and working against multiple Java applications, platforms, etc., via servlets that process serialized objects.
  - Apache Struts2 Jakarta Multipart (CVE-2017-5638): Tested against Apache Struts 2 applications.
- Tries to authenticate to /admin-console/login.seam using default user name and password – admin:admin.
- Sends exploits with proper headers alternating with random User-Agent string.
- Proxy support.
- Auto scan and file scan modes.
With the auto scan and file scan modes, you can leverage this tool to launch a mass scan against your own network in a short amount of time. Additionally, a payload also allows you to gain access to a reverse shell with Metasploit meterpreter support. Another piece of good news is that JexBoss is compatible with both Python 2 and Python 3. It also includes an auto-updater.
As always, the current version – JexBoss version 1.2.4 – can be obtained by checking out the Git repository from here.